Are UK companies sleepwalking into a cyber crisis?
Many companies think they excel at cybersecurity – but our research suggests something very different.
UK companies are greatly underestimating their cybersecurity risk. Consequently they may be far more exposed than they imagine.
As part of Lockton’s UK Cyber Security Survey 2017 [1], we asked 200 senior decision makers how they think their cyber risk mitigation compares with other companies in their industry. Interestingly, 60% of companies say they are ‘leading’ or ‘almost leading’ their industry.
Among manufacturers, almost three quarters (72%) think they excel in this area. Even among gaming and entertainment companies, where confidence levels are lowest, almost half (49%) say they are ‘leading’ or ‘almost leading’ their industry.
Similarly, 59% of companies say their industry is ‘extremely’ or ‘very well’ prepared against cyber-attacks. Meanwhile, only 36% of companies think that their industry is ‘very’ or ‘extremely’ exposed to cyber-attacks.
Fact or fiction?
Companies’ optimism is at odds with the ever-increasing number of publicly documented cyber incidents, never mind the incidents that companies choose to keep quiet about or simply never detect.
Nearly half (46%) of British businesses discovered at least one cyber-security breach or attack in the past year, according to the UK government [2]. Among medium to large companies, more than two-thirds fell victim to a cyber-breach or attack. For larger organisations in particular, the cost of a cyber-breach can run into millions of pounds, with additional hits to a company’s reputation and customer base.
Our research found that senior business leaders’ confidence in their companies’ cyber mitigation is also incongruent with the steps they actually take to protect themselves:
the great majority of companies are not minimising the risk of being hacked. Only 8% of companies take measures to detect whether they’ve been hacked every day – something all companies should do.
many companies do not do enough to minimise the risk of human-error related cyber incidents – with only 58% making new staff aware of their cyber security processes and procedures.
many companies do not have sufficient board-level buy-in to implement effective cyber-breach [3] scenario planning – with only 50% involving their boards.
many companies are ill-prepared for the communication challenges that would follow a cyber-breach – with only 26% involving their Head of PR and Comms when planning for a breach.
the Head of HR is only involved in planning for a cyber-breach in 7% of companies – worrying, considering how a breach could affect employees (for example, through the loss of personal data).
When it comes to their cybersecurity, are companies being too complacent, or are they simply unaware of the true nature of their cyber risks? It may well be a bit of both.
Companies often struggle to find good-quality data on other companies’ cyber mitigation, inside or outside their own industry. If you’re in charge of a company’s cybersecurity, it’s a constant challenge to know how your company’s cybersecurity compares with others, and to understand what ‘good’ looks like.
We also often see a gap between what the board think their company is doing regarding cybersecurity and the reality. This could be the result of boards not fully understanding their company’s cyber risks, or security professionals and others ineffectively communicating these issues to the board, or both.
The exact reasons for this over-confidence will doubtless differ between companies and industries. It is clear, however, that many UK companies’ cyber risk mitigation is inadequate. Despite the almost daily reportage of cyber incidents, many companies still do not appreciate the severity of cyber risks, or simply lack the resource and expertise to manage them.
Over the next few months, Lockton will be sharing results from our UK Cyber Security Survey 2017. Alongside the results, we will provide advice and analysis on various aspects of cybersecurity, including:
cyber-breach scenario planning
hacking detection measures
working with third parties after a breach
managing staff-related cyber risks
cyber risks companies expect to increase most.
UK companies have made great improvements to their cybersecurity in recent years. It seems, however, that the really hard work is still to come.
Peter Erceg – senior vice-president, Global Cyber and Technology